Nordea Replaces Multiple Systems with a Single Integrated Risk Management Application

Weekly-Blog-Upload-16-May-2024-dsk
Introduction

At a recent GRC Summit, Jacob Holmehave, Head of Group Risk Office, Nordea, and Brian F. Sorensen, Chief Execution Officer – Group Risk Change Management, Nordea, walked the audience through their GRC journey with MetricStream and their learnings along the way. Nordea is the biggest bank in the Nordic region with around 10 million customers.

Here are the key takeaways from Jacob and Brian’s session.

Embarking on the GRC Journey

Jacob: Our MetricStream journey started a few years back. There have been some good successes along with some learnings.

A few years ago, we embarked on what we call IRMA, the Integrated Risk Management Application. In 2020, the European Central Bank (ECB) conducted an onsite inspection of our compliance processes, and, unfortunately, their feedback was less than favorable. This prompted us to critically assess how we were operating. It became clear that we needed to change our approach, but it also presented an opportunity to upgrade some of the underlying solutions and technical aspects. Additionally, we took the chance to review our non-financial risk processes.

The implementation of IRMA is a collaborative initiative, requiring active participation from individuals across the entire bank.

Challenges & Objectives

Brian: Our initial approach was heavily process-driven, as the governance was structured around established frameworks. The structures were in place, but the system remained manual, requiring data to be transferred between different processes, with each process capturing its own required information. There was little interaction or utilization across these processes.

We had over 50 operational and reporting processes, with each business area creating its own version based on a common framework. A considerable amount of time was invested in these efforts. We also had more than 10 applications—some homegrown, others customized GRC applications that, over time, became difficult to revert to standardization. This included numerous user-developed tools, such as Excel sheets. On the human side, this resulted in significant effort being expended, but the actual value was unclear.

Jacob: We had about 10 different systems spread across the bank, along with hundreds of Excel sheets, SharePoint sites, and similar tools. The goal was to consolidate all of this into one enterprise application.

We also aimed for a common, integrated data model and decided to adopt a cloud-based solution, which at that time was not something we had done at Nordea.

Additionally, we committed to an out-of-the-box solution with no customization. The concept was to reverse the usual approach—rather than having the processes dictate the system, we wanted the system to dictate the processes.

Implementation & Business Value Realized

Brian: Phase 1 was focused on simplification, setting the foundation for phase two at a later stage. Our objectives were to:

  • Build on common capabilities rather than processes. For example, risk assessments or controls should not be embedded into each process but instead viewed and governed across the organization.
  • Standardize – Use the same processes throughout the enterprise so that we follow consistent standards.
  • Implement IRMA, resulting in one application. The existing applications would need to be decommissioned.
  • Establish a Common Reporting Solution – one database, one reporting system, ensuring we all draw from the same data source.
  • Significantly reduce the workload for both first and second-line teams while aiming to create real business value.

We began in September 2021 with the Regulatory Directory, organizing our work areas, which resulted in managing approximately 32,000 obligations. In March 2022, we implemented RCSA, followed by Compliance, where we reassessed our approach.

Instead of rolling it out product by product, we recognized that development could be accelerated by focusing on capabilities. With RCSA in place, we leveraged the same functionality for Principal Financial Controls (PFCs), which is equivalent to SOX. We rolled this out using Operational Risk Management (ORM), applying what we had learned from risk assessment, control assessment, and control testing, and added other libraries while maintaining the same structure. This sped up the process, expanded coverage, and facilitated broader deployment.

We also rolled out Issue and Action Management across all three lines of defense. This meant that, upon going live, first-line, second-line, and audit issues were all rolled out simultaneously, along with a migration.

Benefits

  • Using the single IRMA tool reduces operational costs by 50% and simplifies development.
  • One tool supports day-to-day risk management.
  • Improved quality through the introduction of a common golden source and risk visualization.

Looking Ahead

We plan to do a version upgrade every year. We upgraded from Arno to Colorado, and early next year, we will upgrade to Euphrates. This annual schedule ensures we don't fall behind.

Currently, we are focused on creating a common reporting solution for non-financial risk management. We are integrating IRMA data into our Common Data Platform and building a reporting solution on top of it. This setup will allow us to pull data from various sources, creating a unified reporting unit.

Pat McParland

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.